Windows Operating Systems Software Businesses Security

Vista Activation Cracked by Brute Force 470

Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
  • Re:Easy Fix (Score:4, Informative)

    by Brian Gordon ( 987471 ) on Friday March 02, 2007 @11:07AM (#18206698)
    I think the program actually tries the keys on its own algorithm, and when it finds a valid one it tells you to submit it to Microsoft.
  • by Anonymous Coward on Friday March 02, 2007 @11:08AM (#18206710)
    It seems that this technique doesn't test against the Microsoft server, but can tell if a key is valid on the local computer, which would actually be news.
  • Re:Easy Fix (Score:3, Informative)

    by richy freeway ( 623503 ) * on Friday March 02, 2007 @11:12AM (#18206750)
    You're right. You have to monitor your Vista key to see if it's changed, using the Jellybean Keyfinder. When you spot it's changed you have to manually attempt an activation. If it fails then you leave it running longer until the key changes again, then retry activation. Repeat until activation succeeds.
  • Re:Easy Fix (Score:5, Informative)

    by Odiumjunkie ( 926074 ) on Friday March 02, 2007 @11:15AM (#18206780) Journal
    > All Microsoft has to do is block the IP address that is requesting thousands of activations on separate, invalid keys per second.

    RTFA. That's nothing like how this works. The actual activation part is totally manual, only the key generation is automated. You can generate keys without any kind of network connectivity.
  • by Anonymous Coward on Friday March 02, 2007 @11:41AM (#18207090)

    > And if that is true, then perhaps collecting enough valid keys could lead to discovering the actual 'validation function' and removing the need for brute force.

    Huh? They've got the validation function, that's how this works.

    The problem is that it's one-way and reversing it is mathematically hard, so it's easier just to try a scatter-gun approach.
  • it is useless (Score:5, Informative)

    by WARM3CH ( 662028 ) on Friday March 02, 2007 @11:41AM (#18207094)

    > It seems that this technique doesn't test against the Microsoft server, but can tell if a key is valid on the local computer, which would actually be news.

    It is not really that important whether a key is validated on a local computer or not. Any key needs to be finally validated by the servers: out of all possible valid keys that pass the validation on a local computer, only a very, very tiny number of them are actually keys that have been (or will be) issued by Microsoft. Think of it like this: with 25 symbols for the keys you have a huge, huge search space A. Now, this program finds the keys that are valid according to the magic formula that the Vista validation system uses. All these keys form a very, very tiny subset of A, called B. However, the set of keys that Microsoft has already issued (or will ever issue), set C, is only a very, very tiny subset of B. This program finds random keys in B, but to actually validate Vista with them, the user has to contact Microsoft's servers to see if the keys are part of C or not. This is where the whole thing breaks down, next to being totally useless. (This is the same story with the CD-keys of multi-player games...)
  • by GIL_Dude ( 850471 ) on Friday March 02, 2007 @11:48AM (#18207204) Homepage
    Business users (at least large ones) won't be using Retail media on many machines. Since this is a crack for retail there would be no effect on people using MAK or KMS validations as the majority of corporations would be doing. (Yes, I know that for those few corps that want to use Ultimate on some of their machines this could be an issue because Ultimate requires retail activation). However for VL (Business and Enterprise versions) MAK and KMS would be unaffected.
  • by Anonymous Conrad ( 600139 ) on Friday March 02, 2007 @11:48AM (#18207206)

    > This is not a brute force hacker, but just a database of some key with a fancy interface on top that pretends to be calculation just updates a progress bar. The database will release some key after some hours of "calculation". Users notice that the (enterprise?) key is accepted and tell it works. MS will notice some volume keys are used too often and will block them at the next wga update (and the next service pack)

    No, that's not how the new volume license system works. There's two classes of volume license key for Vista:
    • Multiple Activation Key - will only work a limited number of times
    • Key Management Services - requires a local license server that maintains the count of keys used and communicates with Microsoft
    neither of which will work with your scheme.
  • by DJCacophony ( 832334 ) <v0dka AT myg0t DOT com> on Friday March 02, 2007 @11:50AM (#18207232) Homepage
    Yes, I believe it is every six months, as that is the interval by which Windows Vista retail must be re-activated anyways.
  • by cswiger2005 ( 905744 ) <cswiger@mac.com> on Friday March 02, 2007 @11:53AM (#18207276) Homepage

    > Once Vista sets the activated flag, does it actually check for revocation of activation at some prescribed interval?

    Why, yes. Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update. In practice under XP, this happens every month to every few months. Depending on your settings and whatever the future might bring, it might well be the case that machines will be checking for updates & possibly re-validating themselves every week.

  • Having RTFA... (Score:5, Informative)

    by d3ac0n ( 715594 ) on Friday March 02, 2007 @12:04PM (#18207412)
    AND having gone to the site and read through the ENTIRE thread on their forums;

    What we have here is a random number/letter guesser. It's basically a VB Script that guesses random numbers and letters in a string that is the same length as a Vista Key, then inserts it into the registry, overwriting the existing Vista key. You use Magic Jellybean to check when the key has changed, and then manually check it against MS's activation service. Really this is little more than a person manually sitting down and making key guesses. This is why it's called a "Brute Force" attack. There is no intelligence (ie: an algorithm) behind the key guesses at all.

    That said, because it IS so simple, it's almost impossible for MS to defend against, since they can't just "ban" any keys made by it like they would a traditional algorithmic keygen. Also, there is an improved version of it posted as source on the boards there, so if you want to take a peek at the code you can.

    Here is a link to the forum post in question: http://keznews.com/forum/viewtopic.php?t=2634 [keznews.com]
  • by Brian Gordon ( 987471 ) on Friday March 02, 2007 @12:08PM (#18207474)
    Since it's a vbscript the code is wide open. Look for yourself, this is a legitimate brute forcer.
  • Not in the UK (Score:5, Informative)

    by Toby_Tyke ( 797359 ) on Friday March 02, 2007 @12:20PM (#18207618) Journal
    > Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.

    That may be the case in the US, but in the UK things work slightly differently. If I buy a copy of Vista from a store and it is faulty, for whatever reason, I can return it to the store for a full refund or a replacement. The legalese is "fit for purpose" and "of merchantable quality". Clearly, a copy of Vista with an invalid licence key is not fit for purpose.

    Incidentally, most of the big shrinkwrap software stores in the UK try to get out of doing this if they can. Just be persistent.
  • Brute force Crack (Score:3, Informative)

    by gyranthir ( 995837 ) on Friday March 02, 2007 @12:59PM (#18208048)
    There is a brute force algorithm crack for every Microsoft product I have ever seen.

    I saw one at a LAN party that had every copy of windows, every copy of office, and a whole bunch of Microsoft products.

    You would set it and forget it. It would generate a key, test it and then if it was good put it in a log file, if it was bad it would attempt to generate another.

    This kid had a list of probably 1000 WinXp pro keys that had generated just because he was bored.

  • by julesh ( 229690 ) on Friday March 02, 2007 @01:15PM (#18208256)
    > Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others.

    There's this little thing called an implied warranty of fitness for a particular purpose. When you buy something -- anything -- unless it has large letters on the outside of the box saying that it doesn't work, it comes with one. It states that, basically, if you use the product for the purpose for which it is marketed (i.e., with software, try to run it on a computer), it will perform that purpose to at least a basic level.

    It is not legally possible for MS's EULA to disclaim this warranty, it's a basic right that you get when you buy something.

    When you buy something that doesn't meet this warranty, you're entitled to a full refund. Whether you've opened the package or not.
  • by PPH ( 736903 ) on Friday March 02, 2007 @01:32PM (#18208494)

    > Every 6 months I have to explain myself and prove my innocence?

    In Soviet Russia .... oh never mind.
  • by Taelron ( 1046946 ) on Friday March 02, 2007 @01:55PM (#18208798)
    Not according to Microsoft... According to their speakers at the MS Vista launch event, even the Home and Ultimate versions need to call Microsoft every 180 days to verify their key.

    The business users can purchase an "Activation server" they maintain in house and can configure their workstations to call it to verify they have legit keys. The Activation server in house still has to call Microsoft every 180 days to verify all the license information it has.

    The in house Activation server came about because of Government and Private organizations that want to have unconnected secured networks. Though the "Activation Server" needing to call MS every few months can result in a "potential breach" or extra wasted IT staff hours as you call the phone number to manually activate again...

    Another option you have, though Microsoft claims that they did not enable it in Vista, as Volume License keys will be used in house only and no longer shipped out to customers, are the MAK license options in their Volume license 2.0 program. But as I said, MS claimed at their launch day event they will not be shipping any such versions of Vista...

    http://www.microsoft.com/technet/windowsvista/plan/faq.mspx [microsoft.com]

  • by PitaBred ( 632671 ) <slashdot&pitabred,dyndns,org> on Friday March 02, 2007 @02:19PM (#18209128) Homepage
    Some necessary things DO require WGA. I just installed a patch to make my work laptop hibernate correctly, because I recently upgraded it to 2GB of RAM. I had to go through the WGA check on their web page to download that patch. It's ONLY "security" related patches that are sent out regardless of WGA status.
  • by deathy_epl+ccs ( 896747 ) on Friday March 02, 2007 @02:22PM (#18209182)

    > So wait... Microsoft is requiring you to run a server just to run their fucking operating system? It adds NO value whatsoever to the company using it, yet takes their electricity, time and resources to maintain? Does that sound absolutely asinine to ANYONE else? Wouldn't a CTO/CIO be slightly annoyed at having to allocate extra resources just to run an operating system whose only real function is to allow the real work to get done?

    Your assumption here seems to stand on rather shaky ground, though... I'm sure that you can run more services than just the authentication mechanism - I would expect that you'd probably want to run the license authentication service on your domain controller or something similar, unless you're in a really gigantic shop.

  • by deathy_epl+ccs ( 896747 ) on Friday March 02, 2007 @02:54PM (#18209708)

    How is it any different than needing a corporate license server for Autocad, or Rational, or any of the other software commonly licensed this way on the corporate level? It's not like these license servers are terribly difficult to maintain.

    I think you imagine the maintenance to be a lot harder than it really is. Maintaining a single license server has, in my experience, been easier than maintaining hundreds of keys individually.

  • by Beardo the Bearded ( 321478 ) on Friday March 02, 2007 @03:03PM (#18209884)
    Read the "Surviving the first day of Windows XP".

    Quit downloading everything in your email. If you don't recognize the name, delete it.

    Don't click "Yes" to every security certificate. You should accept Microsoft's, and that's it.

    You don't require new cursors or smiley programs for your emails. The new "Hyper-Exelent Surf 3000 Toolbar by Lucky 88 Company" is not going to make your life easier. Likewise, if you want to know the weather, look outside or in your local paper.

    PC Cleaning programs from pop-up ads don't work. Actually, anything advertised on the Internet should be considered fraudulent. (Yes, even "those" pills. They're just bull semen and corn starch.)

    Get your programs from sourceforge, not from the first link on Google. Make sure that Spybot and Mike's adblocking are installed on your machine.

    The people who write viruses have anti-virus programs to test their work on.

    For the sake of whatever god you believe in, get a hardware firewall!

    Run ShieldsUP! from grc.com to make sure that you're invisible.
  • by Anonymous Coward on Friday March 02, 2007 @04:22PM (#18211006)
    Please, PLEASE repeat after me:

    I have not, nor am I ever likely to, BUY/PURCHASE software from Microsoft. I have purchased/bought a LICENSE to use Microsoft software under THEIR terms.

    Essentially, you have RENTED an item and a person/entity is checking to make sure you are using it in accordance with applicable laws and within the terms of the license/rental agreement you accepted.
